Facebook has been paying people to install a VPN that harvests data about them
An investigation has revealed that Facebook has been paying people aged between 13 and 35 to install a data-harvesting VPN tool. The "Facebook Research" VPN was offered to iOS and Android users, who were paid up to $20 per month -- plus referral commissions -- to provide the social network with near-unfettered access to phone, app and web usage data (a root certificate is installed on the device, which gives a terrifying level of access).
As news of the activity came to light, Facebook announced that the program (sometimes referred to as Project Atlas) is being terminated on iOS, but it seems that it will be continuing on Android. If this sounds slightly familiar, you just need to think back a few months to when Facebook's Onavo Protect VPN was kicked out of the App Store for violating Apple's data collection rules.
The investigation was carried out by TechCrunch. It found that Facebook has been using the research program for some time to "gather data on usage habits". Facebook Research was made available through a range of beta testing services, and in this way the app was able to "sidestep" the App Store. TechCrunch says that users were asked to install the app and provide "root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity".
While Facebook has said it will close down the iOS branch of its Research program, it is not clear if this is being done voluntarily, or whether Apple has leaned on the company. It also seems that the Android side of things will continue to run -- at least for the time being.
Speaking to TechCrunch, Will Strafach from Guardian Mobile Firewall said:
If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps -- including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.
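Strafach's point turns on what a user-installed root certificate does to TLS validation: once the device trusts the extra root, any server certificate that root signs is accepted for any hostname, so encrypted app traffic can be terminated and read by whoever holds the root's key. The Go program below is an added illustration written for this article; it is not code from Facebook, TechCrunch or Guardian Mobile Firewall, and it uses only the Go standard library. It constructs two throwaway CAs (a "genuine" backend CA and an "installed research root"), issues a certificate for the same constructed hostname from each, and then runs the checks: a trust store without the extra root rejects the second certificate, the same store with the root installed accepts it, and an app that additionally pins its backend CA's public key rejects it even though the device trusts the root. The pinning check goes beyond the article, which does not discuss mitigations; it is the standard defence apps use against exactly this kind of trust-store tampering.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// makeCert issues a certificate for subject, signed by parent, or self-signed when
// parent is nil. Every certificate and key here is constructed for the example.
func makeCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// spkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value an app
// compares against when it pins the CA behind its own backend.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verify runs the ordinary trust-store check for host and, when pins is non-nil,
// additionally requires the chain's root to carry one of the pinned public keys.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil || pins == nil {
		return err
	}
	for _, chain := range chains {
		if pins[spkiPin(chain[len(chain)-1])] {
			return nil
		}
	}
	return errors.New("chain root is trusted by the device but not pinned by the app")
}

// Scenario records whether each check accepted the certificate it was given.
type Scenario struct {
	ForgedWithoutRoot bool // forged leaf, store without the research root, no pin
	ForgedWithRoot    bool // forged leaf, research root installed, no pin
	GenuinePinned     bool // genuine leaf, research root installed, pin on genuine CA
	ForgedPinned      bool // forged leaf, research root installed, pin on genuine CA
}

// Demo builds the two roots, a leaf from each for the same hostname, and runs the checks.
func Demo() Scenario {
	const host = "chat.example.com" // constructed hostname, stands in for any app backend
	genuineCA, genuineKey := makeCert("Example Genuine Root", true, nil, nil)
	researchCA, researchKey := makeCert("Example Installed Research Root", true, nil, nil)
	genuineLeaf, _ := makeCert(host, false, genuineCA, genuineKey)
	forgedLeaf, _ := makeCert(host, false, researchCA, researchKey)
	clean := x509.NewCertPool() // the device's trust store before any extra root
	clean.AddCert(genuineCA)
	tampered := x509.NewCertPool() // the same store after the research root is installed
	tampered.AddCert(genuineCA)
	tampered.AddCert(researchCA)
	pins := map[string]bool{spkiPin(genuineCA): true}
	return Scenario{
		ForgedWithoutRoot: verify(forgedLeaf, clean, host, nil) == nil,
		ForgedWithRoot:    verify(forgedLeaf, tampered, host, nil) == nil,
		GenuinePinned:     verify(genuineLeaf, tampered, host, pins) == nil,
		ForgedPinned:      verify(forgedLeaf, tampered, host, pins) == nil,
	}
}
```

`Demo()` returns `{ForgedWithoutRoot:false ForgedWithRoot:true GenuinePinned:true ForgedPinned:false}`: the only line that separates the second and fourth results is the pin, which is why the value of a user-installed root depends entirely on how many of the device's apps rely on the system trust store alone. On a real device the defender's check is the complementary one, reviewing the user-added certificate store for roots that nobody can account for.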
An agreement users of one of the beta services signed up to gives a glimpse into the depth of the data collection:
By installing the software, you're giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you've installed. This data will only be used by our client, and won't be shared with unaffiliated third parties. This means you're letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps.
What is slightly concerning (on top of the data collection itself) is that, as TechCrunch's Josh Constine points out, people agreeing to use the beta app may not even have been aware that it was linked to Facebook:
Facebook hid its identity but had intermediaries like uTest advertise to teens on Snapchat & Instagram that they could earn money via "social media research" aka selling their privacy. 3/ pic.twitter.com/9ohODeYXxM
— Josh Constine (@JoshConstine) January 29, 2019
Strafach notes that this research project does not just have echoes of the scandalous Onavo VPN app; it appears to be precisely the same:
they didn't even bother to change the function names, the selector names, or even the "ONV" class prefix. it's literally all just Onavo code with a different UI. pic.twitter.com/ruqH69pUfq
— Will Strafach (@chronic) January 29, 2019
Facebook has taken exception to the investigation and the way TechCrunch has presented its findings. A spokesperson for the company said:
Key facts about this market research program are being ignored. Despite early reports, there was nothing "secret" about this; it was literally called the Facebook Research App. It wasn't "spying" as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.
It remains to be seen how long the Facebook Research app will remain available to Android users.